Andrew Timberlake wrote:
Could I turn the handle the URIResolver specifically for certain
Transformers or would any changes affect the entire cocoon application?
In Cocoon the transformer's URIResolver is already used by
Cocoon's own resolver, and AFAIK there is no easy way to
hook in there.
Ce
Niclas Hedhman wrote:
What kind of DoS attacks would you expect?
If I can upload an XSL, I can have an infinite loop in the XSL, and then issue
continuous HTTP requests invoking that XSL, effectively eating up both RAM and
CPU time.
Also eating up bandwidth, and if the server is hot iron hook
> What is a "skin" to you? Some sites need dramatically different XSLT to produce
> their final result.
A "skin" to me is the ability to swap look and feel within a single
application. Knowing a bit about what you guys do it seems to me that
you've got a different kind of problem (not sure what
Hi,
> -Original Message-
> From: Hunsberger, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 30, 2003 8:18 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: XSL Security question
>
>
> > There are definitely situations where you need to have pr
> There are definitely situations where you need to have project defined XSLT.
Possibly so, but "skins" shouldn't be one of them? Just out of interest can
you give a concrete example?
> We use a combination of chroot jails (if shell access) and URIResolvers to keep the
> dev-user where they shou
Hi,
> -Original Message-
> From: Hunsberger, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 30, 2003 7:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: XSL Security question
>
>
> > Where the files directory would contain a user's direc
> Where the files directory would contain a user's directory which users could upload
> their own versions of the stylesheets, ie. skins I would want to define a specific
> transformer that would not affect the transformations in the rest of the application
> but would limit the user to using b
On Thu, 2003-01-30 at 15:53, Stefano Mazzocchi wrote:
> > I would want to implement a pipeline as follows:
> >
> > Where the files directory would contain a user's directory which users could
> > upload their own versions of the stylesheets, ie. skins
> > I would wa
Andrew Timberlake wrote:
On Wed, 2003-01-29 at 22:35, J.Pietschmann wrote:
Stefano Mazzocchi wrote:
Another possibility would be to have the XSLT transformer being 'locked'
and avoid accessing anything that is not included in the stylesheet
(that means: forbidding document() and extensions,
On Thursday 30 January 2003 14:30, Andrew Timberlake wrote:
> What kind of DoS attacks would you expect?
If I can upload an XSL, I can have an infinite loop in the XSL, and then issue
continuous HTTP requests invoking that XSL, effectively eating up both RAM and
CPU time.
Niclas
---
On Wed, 2003-01-29 at 22:35, J.Pietschmann wrote:
> Stefano Mazzocchi wrote:
> > Another possibility would be to have the XSLT transformer being 'locked'
> > and avoid accessing anything that is not included in the stylesheet
> > (that means: forbidding document() and extensions, maybe imports to
Stefano Mazzocchi wrote:
Another possibility would be to have the XSLT transformer being 'locked'
and avoid accessing anything that is not included in the stylesheet
(that means: forbidding document() and extensions, maybe imports too)
maybe the xalan team has something ready for this already?
copying xalan-dev:
Andrew Timberlake wrote:
I don't know all the capabilities of XSL and would like to know if there
is a security risk in allowing users to upload any XSL files to be used
in a 'skins' type of application?
My one concern would be using the document('') methods to load and
display
Xalan, at least, allows access to the Bean Scripting Framework
as well => access any class.
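A defender-side sketch of the "locked" transformer that Stefano proposes and the extension-function risk this reply points at, added here as an illustration and not code from Cocoon or Xalan: it assumes a modern JAXP (the JDK's built-in XSLTC, or Xalan 2.7 or later) where FEATURE_SECURE_PROCESSING switches extension functions off, and a hypothetical layout in which each user's uploaded skin lives in its own directory. The resolver name, class names and directory layout are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;

/** Resolver that only serves files inside one skin directory (hypothetical layout: skins/<user>/). */
final class SkinDirResolver implements URIResolver {
    private final String root;
    SkinDirResolver(File skinDir) throws IOException {
        this.root = skinDir.getCanonicalPath() + File.separator;
    }
    @Override
    public Source resolve(String href, String base) throws TransformerException {
        // Only plain relative paths: no http:/file:/jar: schemes, no absolute paths.
        if (href.contains(":") || href.startsWith("/") || href.startsWith("\\")) {
            throw new TransformerException("refused: " + href);
        }
        try {
            // Resolve against the skin root (base is deliberately ignored), then
            // canonicalise so "../" segments and symlinks cannot escape the directory.
            File f = new File(root, href).getCanonicalFile();
            if (!f.getPath().startsWith(root)) {
                throw new TransformerException("refused: " + href);
            }
            return new StreamSource(f);
        } catch (IOException e) {
            throw new TransformerException("refused: " + href, e);
        }
    }
}

public final class LockedXslt {
    /** Compile an uploaded skin so it can only read files from its own directory. */
    public static Transformer compile(File skinDir, File stylesheet) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing turns off extension functions (Java/BSF calls) in the JDK's
        // XSLTC and in Xalan 2.7+; older Xalan releases have no such switch.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: no external DTDs, no remote stylesheets at all.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        URIResolver resolver = new SkinDirResolver(skinDir);
        tf.setURIResolver(resolver); // governs xsl:import / xsl:include at compile time
        Transformer t = tf.newTransformer(new StreamSource(stylesheet));
        t.setURIResolver(resolver);  // governs document() at run time
        return t;
    }
}
```

This bounds what an uploaded stylesheet can read and call, but not how long it runs, so the infinite-loop DoS raised elsewhere in the thread still needs a per-request time and memory limit outside the transformer.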
> From: Andrew Timberlake [mailto:[EMAIL PROTECTED]]
>
> I don't know all the capabilities of XSL and would like to
> know if there is a security risk in allowing users to upload
> any XSL files to be u
I don't know all the capabilities of XSL and would like to know if there
is a security risk in allowing users to upload any XSL files to be used
in a 'skins' type of application?
My one concern would be using the document('') methods to load and display other files from the system?
If this is not a